SimBad adware campaign discovered on the Play Store, then deleted

Viruses and malware are almost synonymous, but there is another type of threat we don’t always feature. We have mentioned similar circumstances before, but most of them involved malware. Adware is present everywhere, although we don’t usually focus on it. There hasn’t been much adware, but we remember the Game, TV, and Remote Control apps tagged as adware in disguise, as reported earlier in January. The last one made some core apps turn to adware on Alcatel phones. This time, Check Point researchers are presenting the SimBad adware campaign that has been lurking on the Play Store.

This particular campaign was discovered by the Mobile Threat Team of Check Point. Adware was found in about 206 apps that reached 150 million downloads. That is a lot of downloads, but as soon as Google learned of the problem, it deleted the apps right away.

The adware is said to have gotten inside the apps because of the ‘RXDrioder’ Software Development Kit (SDK). This one came from addroider[.]com, which is a known ad-related SDK.

Unfortunately, developers were not aware of the danger, so they went on to use the malicious SDK. It’s called SimBad because most of the apps are simulator games. Once installed, SimBad registers for ‘BOOT_COMPLETE’ and ‘USER_PRESENT’. These then trigger the app to perform other actions and carry out commands coming from a Command and Control (C&C) server.

The researchers discovered that it made the phones remove the app’s icon from the launcher, so uninstalling would be difficult. The end result was background ads being displayed and browsers being opened automatically with a URL.
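For anyone reviewing an app before installing or shipping it, the two registrations described above can be spotted in the app's decoded manifest. The following is an added example, not code from Check Point or from this article: it assumes a text-form AndroidManifest.xml, uses Android's `BOOT_COMPLETED` and `USER_PRESENT` action strings for the two broadcasts named above, and the package, receiver, and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Android's action strings for the two broadcasts the article refers to
BOOT = "android.intent.action.BOOT_COMPLETED"
USER_PRESENT = "android.intent.action.USER_PRESENT"

# Constructed sample manifest (text form, as a decompiler emits it); not a real app
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simgame">
  <application>
    <receiver android:name="com.example.adsdk.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".LocaleReceiver">
      <intent-filter>
        <action android:name="android.intent.action.LOCALE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return receivers that listen for both boot and unlock broadcasts."""
    # Stdlib parser for brevity; use a hardened XML parser on untrusted files.
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package", "")
    findings = []
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")}
        if BOOT in actions and USER_PRESENT in actions:
            name = rcv.get(NAME, "")
            # Names starting with "." or without dots are relative to the app package.
            own = name.startswith(".") or "." not in name or name.startswith(app_pkg + ".")
            # A receiver outside the app's package usually belongs to a bundled SDK.
            findings.append({"receiver": name, "third_party": not own})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f)
```

A hit is a prompt for review, not a verdict, since legitimate apps also listen for these broadcasts.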

Simply put, SimBad can do the following: show ads, phishing, and exposure to other apps. It’s not ideal and not welcome, so we’re glad the adware is gone. Ads may seem safe, but the adware could become a bigger threat someday.